Is it more cost effective to build my own PFSENSE box or just buy a small one?
-
My LAN is gigabit all around except my current PFsense box, which is really the choke point of the system. It is super old hardware and one of the nics in it is absolutely super slow. I can't recall, but it is pretty awful.
I don't really see myself running any other software on pfsense other than what comes with it stock. I just like it because it is so configurable, however I would like the option to be able to run other programs/apps/whatever you want to call them on pfsense if I did see a need. Would the i3 version suffice for this or should I bump up to the i5?
I do have my current PFsense box running on VPN.
I built my own pfSense router based on J3355B for $106.68 – granted, I already had a 1U case that came with a PSU. But even if you add a picoPSU it would add about $10-$15. If you need a rackmount case then there is plinkUSA.com. Cheapest 1U rack case that will fit the J3355B is for $45. Or you can browse your local craigslist and get any case for about $10-$25 and replace whatever internals with a J3355B. It will handle gigabit WAN easily. What is your ISP speed currently? As long as you don't require more than 200-300Mbps over VPN, J3355B should serve your needs well since you mentioned you don't intend to run too many packages.
-
J3355B SoC https://www.newegg.com/Product/Product.aspx?Item=N82E16813157726&cm_re=j3355b--13-157-726--Product – $56.70 NEW + 1.99 Shipping
-
RAM - https://www.ebay.com/itm/SK-hynix-4GB-2Rx8-PC3L-12800S-DDR3-1600-SO-DIMM-204pin-HMT351S6EFR8A-PB-RAM/202274131369?epid=215825964&hash=item2f187a4da9:g:-wYAAOSw3MpavESY – $19.99 NEW
-
Intel i340-T4 - https://www.ebay.com/itm/IBM-Intel-Quad-Port-PCIe-Ethernet-Adapter-Low-Profile-94Y5167-49Y4242-Free-Ship/292491780397?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2055119.m1438.l2649 – $18.95 USED. I paid $28 for this when I bought it from a different seller. T2 might be cheaper if you look hard enough.
-
Case - about $10 USED to $45 NEW based on what you want
-
picoPSU - https://www.ebay.com/itm/NEW-DC-12V-250W-24Pin-ATX-Power-Supply-switch-PicoPSU-mini-ATOM-HTPC-ITX-PICO/323094106833?hash=item4b39e8d2d1:g:xoMAAOSwhvFZH~6g – $13.20 for a 250W NEW + 1.99 Shipping. You don't need that much. If you search for an 80W, you might find it cheaper.
That's when buying most of the components NEW except the NIC. Totals up to $112.82 + case – the cost shouldn't go beyond $150 even if you buy a new case. There might be other non-rackmount cases that might be cheaper too and since as you mentioned, you have been using pfSense on super old hardware, this should feel like a great upgrade for the price.
Thanks! I may just go this route. My ISP speed is only 50mb/s, so quite slow. How does this setup compare to the i3 or i5 of the qotom machines? I don't need a rack mount, a simple ITX case for this should work just fine.
-
-
Thanks! I'll probably go with your $150 setup or the qotom setup if this doesn't pan out. Hard to say no to $25 if it'll work. It has two LAN ports in the back as well :)
I looked locally to find a used mini itx case to help keep costs down and I found one with everything in it. I may even be able to use what's in it for the entire setup. I have an offer in of $25 lol. It has an intel core i3, but that's all the info I have on it minus basic ram, hdd info.
-
You might also want to make sure that i3 supports AES-NI so that it's future proof.
-
Thanks! He didn't accept my initial offer, but said he would take $50 and I get a 250W power supply that's separate from it that I could use for something else, so still not a bad deal since it is a case, board, and the board is loaded with the necessary components to run a small computer. Anyways, I asked for the CPU and Board Model.
Gigabyte GA-H77N-WIFI
Intel Core i3 3225
Let me know what you guys think?
-
It isn't AES-NI. How big of a deal is this? It's an 1155 socket, so sure there has to be a processor I could replace it with if needed???
Does the newer version of pfsense require AES-NI?
https://ark.intel.com/products/65692/Intel-Core-i3-3225-Processor-3M-Cache-3_30-GHz
Here is the board: https://www.gigabyte.com/nl/Motherboard/GA-H77N-WIFI-rev-10#ov
It looks like I would have plenty of CPUs that I could choose from that would fit the LGA 1155 Socket and be capable of AES-NI: https://ark.intel.com/Search/FeatureFilter?productType=processors&SocketsSupported=LGA1155&AESTech=true
It looks like each port is able to run full 1gbps as they advertise 2gbps if you "pair them together". Hopefully that means they would each be capable of full duplex.
-
It isn't AES-NI. How big of a deal is this?
The deal is non-AES processors will become obsolete to pfSense in a year's time.
Can you upgrade the CPU? As long as the new AES-capable CPU uses the same socket. CAVEAT: there was an Intel CPU refresh back in 2014(?) which required some mobos to get a BIOS update before you can upgrade the CPU.
Isn't building your own fun?
-
Haha. I don't mind it. Especially if I can get it and all related hardware in a nice package for about $50 with an extra 250W power supply that I can immediately repurpose for something else.
These are the LGA1155 chips with AES-NI, so plenty of options and they are all prior to 2014, so probably won't have to mess with BIOS, which I would mind anyways.
https://ark.intel.com/products/65692/Intel-Core-i3-3225-Processor-3M-Cache-3_30-GHz
The current version of pfSense doesn't require AES-NI? My machine is updated to the latest version at this time and I'm 100% certain my current processor in my pfsense setup isn't AES-NI.
With all that said, it looks like that ITX board/setup should work just great for what I want and have plenty of power and expandability.
-
pfSense 2.4.X (the current version) does not require AES-NI.
pfSense 2.5+ will require AES-NI or some other AES offloading. There is no hard timetable for that but it will likely be at least a year.
We have committed to continuing to support 2.4.X with security updates for 1 year following 2.5 release so there will be no sudden requirement to replace all your hardware overnight!
There are plenty of 3rd gen i5 options with AES-NI.
Steve
Edit: typo
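
The AES-NI check this thread keeps coming back to, as an added example that is not part of any forum post: a shell function that reads a CPU feature dump and reports whether AES-NI is advertised. It assumes the FreeBSD boot-message format (a `Features2=` line, as found in `/var/run/dmesg.boot`) or the Linux `/proc/cpuinfo` `flags` line; the function name and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a CPU feature dump advertise AES-NI?
# Usage on a FreeBSD-based firewall:  has_aesni /var/run/dmesg.boot
# Usage on Linux:                     has_aesni /proc/cpuinfo
# With no argument the text is read from standard input.

has_aesni() {
    # Returns 0 when AES-NI is listed, 1 otherwise.
    awk '
        # FreeBSD boot messages: "  Features2=0x...<SSE3,...,AESNI,...>"
        /^[ \t]*Features2=/ {
            s = $0
            sub(/^[^<]*</, "", s)      # drop everything up to "<"
            sub(/>.*$/, "", s)         # drop the closing ">" and beyond
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        # Linux: "flags : fpu vme ... aes ..." (whole-word match only)
        /^flags[ \t]*:/ {
            for (i = 2; i <= NF; i++) if ($i == "aes") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# Constructed, abbreviated samples (not captured from real hardware).
SAMPLE_NO_AESNI='CPU: example CPU without AES-NI
  Features2=0x0<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,AVX>'
SAMPLE_AESNI='CPU: example CPU with AES-NI
  Features2=0x0<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>'
SAMPLE_LINUX='processor : 0
flags : fpu vme sse2 ssse3 sse4_1 sse4_2 popcnt aes xsave avx'

for sample in "$SAMPLE_NO_AESNI" "$SAMPLE_AESNI" "$SAMPLE_LINUX"; do
    if printf '%s\n' "$sample" | has_aesni; then
        echo "AES-NI: yes"
    else
        echo "AES-NI: no"
    fi
done
```

Matching whole feature tokens rather than grepping for a substring avoids false positives from unrelated text that merely contains the letters "aes".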
-
We have committed to continuing to support 2.4.X with security updates for 1 year following 2.5 release…
Sorry, but I don't buy that anymore.
Exactly the same was said about 2.3 (the last version supporting NanoBSD and/or 32bit HW) but, if memory serves me right, it was shortly after 3 months that it was de-facto obsoleted. JWT explicitly announced NO updates for Meltdown and Spectre for NanoBSD installs / 32bit hardware.
2.4.0 was released October 12, 2017 and received patches and fixes up to version 2.4.3
2.3.5 was released October 31, 2017 and got one maintenance release on December 14th, 2017 since.
To be fair, there are snapshots of a 2.3.6 development branch on the server.
But I would neither want to run a rather old 2.3.5 nor a development branch on an internet facing device in production. This means that hardware, not capable of running a full 64bit pfSense install, is obsolete only 5 months after initial 2.4 release. That's somewhat different than a year, isn't it?
Expect the same focus shift after a 2.5 release. Only buy AES-NI capable hardware today. And if you like pfSense then buy it from netgate's store (or one of their resellers).
-
“JWT explicitly announced NO updates for Meltdown and Spectre for NanoBSD installs / 32bit hardware.“
I announced no such thing. The mitigations aren’t available yet for 32-bit.
What Steve said is exactly right.
-
@jwt:
I announced no such thing. The mitigations aren’t available yet for 32-bit.
Well…
@https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html:
By Jim Thompson
…snapshots including the fixes will only be available for pfSense 2.4.x and amd64 architecture.
"only 2.4.x and amd64 architecture" does explicitly mean: no 2.3.x, no 32bit, no NanoBSD, not even in the future.
You never said something like "these fixes are for 64bit FreeBSD only and therefore can be implemented in the 2.4.x branch only. When/if such code is available for 32bit FreeBSD we will update the 2.3.x branch accordingly."
-
"only 2.4.x and amd64 architecture" does explicitly mean: no 2.3.x, no 32bit, no NanoBSD, not even in the future.
Incorrect, it doesn't "explicitly mean" that at all. It's just how you chose to parse it.
While I understand how you got there, so I will say it explicitly, when those mitigations are available from FreeBSD (upstream), assuming they occur well enough before the October deadline for 2.3.x that we can bring them in, we will bring them into pfSense for 2.3.x as well.
Let's be 100% clear: If 2.4.x supported i386 today, there still wouldn't be any Spectre / Meltdown mitigations.
KPTI mitigations aren't even available for Ubuntu yet. See this: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ, but note: "However, even with KPTI support, a 32-bit x86 kernel cannot use PCID or INVPCID, so the performance impact will be severe."
-
Thanks for clearing this up, Jim.
Actually, the 32bit versions are not my main concern. NanoBSD is. Unfortunately, that's only available in 32 bit flavour.
Edit: corrected. Thanks.
-
NanoBSD is. Unfortunately, that's only available in 32 bit flavour.
Shit! There actually was a 64-bit NanoBSD install? Upgrading 64-bit NanoBSD from 2.3 to 2.4
How could I miss that? Would have solved quite some issues for me "back then".
New installs will be (full) 2.4.x now anyways and existing installs on 32-bit hardware give a reason to contact clients and install new devices after years of service.
-
Hi, how exactly were you able to fit the NIC adapter into the 1u case? I don't see any way how even a low profile adapter would be able to be slotted into a 1u case.
-
-
@t1a said in Is it more cost effective to build my own PFSENSE box or just buy a small one?:
Hi, how exactly were you able to fit the NIC adapter into the 1u case? I don't see any way how even a low profile adapter would be able to be slotted into a 1u case.
The NIC goes in horizontally.
-
Yeah, exactly. You use a riser and fit it at 90° to the slot on the board.
Check out any 1U device that can fit an expansion card, such as:
https://www.netgate.com/docs/pfsense/solutions/xg-1537/io-ports.html#with-4-port-intel-1-gb-ethernet-expansion-card
Steve
-
@stephenw10 My apologies, I was a little unclear with my wording of the question. Using your J3355B type soc and a 1u case that fits the mini-itx board, it's still possible to get the nic adapter fitted in? I wasn't aware they had riser type cards for these socs to be able to fit it horizontally like you mentioned. I didn't want to get a 'cube/tower' like case.
-
@t1a A simple 1:1 riser card is pretty generic (e.g., https://www.newegg.com/Product/Product.aspx?Item=9SIAE7R5YV3774&cm_re=riser_card--9SIAE7R5YV3774--Product). There are also flexible cable versions if there are geometry issues. Multiport risers may have more compatibility issues. You should be able to get the riser wherever you get the case.
-
@t1a Correct. They go in horizontally using a riser card.
A couple of things to consider:
- You need a right angled riser or a ribbon card
- You need to know how big your 1U case is. For example, if your 1U case ONLY supports Mini-ITX, then a single angled riser/ribbon would suffice. But if your case supports mini-ITX & microATX, then apart from the angled riser/ribbon, you will also need a riser extender to reach that open gap in the case where the card will fit.
Something like this:
https://www.ebay.com/itm/PCI-EXPRESS-PCIE-8x-x8-Riser-Card-Extension-Adapter-for-1U-2U-Low-Profile-NEW/281044270981?hash=item416f8b3f85:g:mF8AAOxyDvxQ3vK9
Or get a ribbon riser with extra long length. I trust hard chips better than ribbons because 1U cases already have less space, and ribbons seem to clutter up the space too much.